[PATCH v2] scsi: pm8001: Fix data race in sysfs SAS address read

From: Chengfeng Ye

Date: Thu Jan 15 2026 - 12:55:09 EST


From: Chengfeng Ye <cyeaa@xxxxxxxxxxxxxx>

Fix a data race where pm8001_ctl_host_sas_address_show() reads
pm8001_ha->sas_addr without synchronization while it can be written
from interrupt context in pm8001_mpi_get_nvmd_resp().

The write path is already protected by pm8001_ha->lock (held by
process_oq() when calling pm8001_mpi_get_nvmd_resp()),
but the sysfs read path accesses the 8-byte SAS address without
any synchronization, allowing torn reads.

Thread interleaving scenario:

Thread A (sysfs read)                | Thread B (interrupt context)
-------------------------------------+------------------------------------
pm8001_ctl_host_sas_address_show()   |
 |- read sas_addr[0..3]              |
                                     | process_oq()
                                     | |- spin_lock_irqsave(&lock)
                                     | |- process_one_iomb()
                                     | | |- pm8001_mpi_get_nvmd_resp()
                                     | |    |- memcpy(sas_addr, new, 8)
                                     | |       /* writes all 8 bytes */
                                     | |- spin_unlock_irqrestore(&lock)
 |- read sas_addr[4..7]              |
    /* gets mix of old and new */    |

Fix by protecting the sysfs read with the same pm8001_ha->lock
using guard(spinlock_irqsave) for automatic lock cleanup.

Signed-off-by: Chengfeng Ye <cyeaa@xxxxxxxxxxxxxx>
---
V1 -> V2: Use guard instead of lock/unlock pair

drivers/scsi/pm8001/pm8001_ctl.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/drivers/scsi/pm8001/pm8001_ctl.c b/drivers/scsi/pm8001/pm8001_ctl.c
index cbfda8c04e95..200ee6bbd413 100644
--- a/drivers/scsi/pm8001/pm8001_ctl.c
+++ b/drivers/scsi/pm8001/pm8001_ctl.c
@@ -311,6 +311,8 @@ static ssize_t pm8001_ctl_host_sas_address_show(struct device *cdev,
struct Scsi_Host *shost = class_to_shost(cdev);
struct sas_ha_struct *sha = SHOST_TO_SAS_HA(shost);
struct pm8001_hba_info *pm8001_ha = sha->lldd_ha;
+
+ guard(spinlock_irqsave)(&pm8001_ha->lock);
return sysfs_emit(buf, "0x%016llx\n",
be64_to_cpu(*(__be64 *)pm8001_ha->sas_addr));
}
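Review bot: the guard(spinlock_irqsave)(&pm8001_ha->lock) line sits directly ahead of the return, so pm8001_ha->lock stays held, with interrupts disabled, for the entire sysfs_emit() call rather than only for the 8-byte load of sas_addr. That is safe, since sysfs_emit() does not sleep, but it puts string formatting inside the same critical section that process_oq() takes in interrupt context. Consider narrowing it: take the lock with scoped_guard(spinlock_irqsave, &pm8001_ha->lock) around a copy of pm8001_ha->sas_addr into a local, then call sysfs_emit() on the local after the scope ends. Copying into a local __be64 with memcpy() would also remove the *(__be64 *) cast on the byte array, which the current form keeps. If holding the lock across the format is intentional for simplicity, a short comment above the guard saying what it protects (sas_addr against the update in pm8001_mpi_get_nvmd_resp()) would help the next reader.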
--
2.25.1